JOINT COMMITTEE ON COMMUNICATIONS, ENERGY AND NATURAL RESOURCES díospóireacht -
Wednesday, 26 May 2010

I welcome Mr. John Mullins, chief executive officer, and Mr. David Bunworth, managing director of energy supply, from Bord Gáis.

By virtue of section 17(2)(l) of the Defamation Act 2009, witnesses are protected by absolute privilege in respect of the evidence they give this committee. If they are directed by the committee to cease giving evidence in relation to a particular matter and they continue to so do, they are entitled thereafter only to a qualified privilege in respect of their evidence. They are directed that only evidence connected with the subject matter of these proceedings is to be given and they are asked to respect the parliamentary practice to the effect that, where possible, they should not criticise nor make charges against any person, persons or entity by name or in such a way as to make him, her or it identifiable. Members are reminded of the long-standing parliamentary practice that members should not comment on, criticise or make charges against a person outside the House or an official by name or in such a way as to make him or her identifiable.

I thank the committee for inviting us to discuss the three main issues contained in the letter from Ms Doran, namely, the events and aftermath of a laptop theft in June 2009, the Big Switch campaign, and an outlook on gas and electricity prices, which interests constituents of the committee members. I invite Mr. David Bunworth to address the laptop theft and I will speak on the findings and recommendations of the Office of the Data Protection Commissioner and the actions taken by Bord Gáis since. I will also provide an update on the current status of information and data security and protection processes in the company.

In the early hours of Friday, 5 June 2009 a break-in took place at a building located 100 yards from our head office in Joyce's Court, Dublin. We had taken these offices as short-term accommodation to cater for the rapid expansion arising from the Big Switch campaign to move into the electricity market. We discovered four laptops were stolen and immediately reported the theft to the Garda Síochána. Later in the day we telephoned the Office of the Data Protection Commissioner and informed the office of the theft. Contrary to a company directive, three of the machines were unencrypted and as the investigation progressed and we mirrored the laptops from our ICT department it became clear that a significant volume of customer data was contained on one of them. We immediately set up a project team to undertake the task of identifying and recreating the data contained on this laptop. This was a very extensive purge, requiring the identification of 800 files. It was not a clean file. We spent the next 12 days identifying every name, address and detail of every customer that contacted us with bank account details and credit card numbers. We engaged in constant contact with the Office of the Data Protection Commissioner which conducted an investigation on 15 June. We co-operated fully with that office on the investigation. Early in the week commencing 15 June, we were satisfied that all the consumer data on the laptop had been identified and recreated properly. As a consequence, we then finalised arrangements with the Irish Banking Federation to enable it to implement agreed security measures with regard to the individual bank accounts. Bord Gáis then made a public announcement on the incident on 17 June and two days later started the process of issuing letters to 93,000 customers finally identified as affected by the theft of the laptop.

The Office of the Data Protection Commissioner, ODPC, published its report on the incident in late October 2009. Bord Gáis Energy accepted the commissioner's findings and recommendations without reservation in its letter of response and outlined the measures and actions it had taken to address the issues concerned.

I would like to point out that since I joined the company as chief executive in December 2007, I had made it clear to the organisation that all laptops in the organisation should be encrypted. Reports coming to me as of February 2009 stated that three laptops were unencrypted and that those three belonged to ladies on maternity leave who had no customer service interaction. Therefore, there was an issue in terms of the reporting on the newer laptops brought in with the Big Switch campaign. That was a lapse for which we take full responsibility.

With regard to the findings of the ODPC and the actions undertaken by Bord Gáis, the commissioner found that appropriate security measures were not in place on the laptop. Bord Gáis took action on this and completed a programme of encryption of all laptops and all desktop computers by 31 July 2009. This measure continues in force. The commissioner found that appropriate measures were not in place on the sales management system to ensure "need to know" access to personal data among approved users. A strict regime of access to customer data on a "needs only" basis has now been fully implemented and is controlled by central IT. It was also found personal data was retained on the laptop for longer than was justifiable. A formal acceptable usage policy and acceptable usage agreement has been implemented throughout the company and a mandatory training awareness programme for all staff — more than 1,035 staff — has taken place. This training applies to all third parties also, including FEXCO, Conduit and other agencies that work on our behalf. It is also part of an ongoing process of induction for all new recruits. We have also instigated a number of new procedures for movers, joiners and leavers within the organisation.

The ODPC made a number of recommendations and action has been taken on these by Bord Gáis. It recommended an immediate review of all access levels to personal data and systems and that an effective system be put in place for granting, reviewing and removing access. We have completed an examination of all user access in the organisation and access on an "essential business only" regime has been implemented and management and control of user access has been placed with the central IT function. The second recommendation was that an appropriate standing governance structure be put in place. We have made the greatest changes in the organisation in this regard. There have also been significant personnel and structural changes in the organisation as a result of this incident. Committee members will understand that when a chief executive who understands everything is in order finds out an incident such as this can happen, action must be taken. An information security committee was established and two additional IT security managers appointed. Members may know we have two sides to our business, networks and energy. We now have two IT security managers appointed to both of those areas. We have also appointed an information risk officer who reports directly, outside of the IT function, to the head of internal audit. This is state-of-the-art governance in accordance with the Data Protection Commission and external consultants. All information security and data protection policies have been fully reviewed and updated. It is mandatory, as mentioned earlier, for all staff to sign the acceptable usage policy and any deviation from that policy is a serious disciplinary matter in our organisation.

It has been made abundantly clear to all staff that personal data should not be downloaded to local drives and should be maintained on networked systems for any use considered appropriate. In the incident in question, one of the four laptops was compromised. The individual involved was a data analyst who was using intermediate files, which are test files for programming rather than a full list database. One could not say the data actually made full sense. It was 834 files of test data which were required for the validation process. The data were not on the C drive but on a map drive which communicates with a central network server. The oversight was that they were being mapped back onto the laptop. Therefore, one would have to have delved into the laptop to find these data files. It was not as straightforward as instant access on the C drive. However, we still found it appropriate to liaise with the Data Protection Commissioner on the issue. We have taken action and instigated a comprehensive mandatory information security and awareness training programme for all staff and third parties and implemented an acceptable usage policy and agreement.

The measures set out represent some of the key steps taken by Bord Gáis to date. The company is well advanced in developing and implementing a best-in-class architecture for information security and data protection. An information security programme office has been established, a standing information security committee has been put in place, we have new policies on information security and data protection, which also applies to our third party contractors, we have a system in place for continuous assessment of risk, which reports to me monthly — as members will understand, I have a serious interest in this area as a result of this management lapse — and we have put in place a new information security organisation.

The break-in at the Bord Gáis premises on 5 June 2009 led to the potential exposure of personal data of a substantial number of our customers. It is fortunate that no case has arisen where such data have been exposed and none of our customers has suffered as a consequence. The incident brought to the fore inadequacies in the Bord Gáis systems and procedures and the company treated these with the utmost gravity from the outset. We are confident the comprehensive regime on information security and data protection now implemented will ensure an incident of this kind will not recur.

The launch of the Big Switch campaign, which took place on 18 February 2009, represented a fundamental step in the fulfilment of the Bord Gáis strategy I set about implementing from the time of my appointment in late 2007. The first pillar of our strategy was to be the leading energy company that would introduce dual fuel offerings to more than 1 million customers. This was to be achieved over five years, but we have achieved it in two years. We aim to provide a best-in-class customer service. Last year Bord Gáis received five international customer service awards across all sectors between Britain and Ireland for the level of customer service it offers customers, both at network and energy level. We set about to acquire and develop an electricity generation portfolio and to integrate our supply business in the North and the South. We are well advanced in that regard.

The second pillar of the strategy is investment for sustainable balance sheet growth. When I joined the company, it had a very healthy balance sheet. It still has that and we are A-minus rated by Standard & Poor's and A2 rated by Moody's. These ratings were reconfirmed in the past week. We have invested significantly in electricity and gas asset investments in Ireland. For example, over the next five years we will spend twice as much on wind farms as on gas pipelines. That is because we are at the stage of the law of diminishing returns with respect to gas pipelines here, in terms of traversing rural lands at €1 million per kilometre for transmission. We have leveraged our balance sheet strength and have entered partnerships of complementary competencies. For example, we are supporting the security of supply of gas in this country through a partnership with GDF Suez of France and Belgium on the development of a £250 million sterling salt cavern gas storage facility in Larne, County Antrim, which will service the whole island. We are making good progress on the size mix analysis for that project. We also established a separate investments division when I joined Bord Gáis. There were two people employed in that area then but we now have more than 100 people employed. Since I joined the organisation, more than 500 new people have been employed, directly and indirectly, by Bord Gáis.

The third pillar of our strategy is based on outperforming regulatory targets. We have outperformed the regulatory expectations in terms of operating cost, capital cost, extension of our gas network and the quality of our networks. We invested €170 million over the past four years and now have the most modern gas network in Europe and no longer have any cast iron network in Dublin. The cast iron network in Dublin has been fully replaced. This was vital from the safety point of view. We have exceeded the terms of our customer charter requirements. The international awards we have received from the Customer Contact Association, CCA, and the Contact Centre Management Association, CCMA, are the best testament to the quality of the service we provide.

On influencing market arrangements, the committee may have heard my views on Corrib and on security of gas supply. I would like to repeat those views. The Corrib gas project is a matter of sovereign gas security, in terms of molecular gas, which will ensure we have indigenous gas available for this market. We will continue to try to influence that agenda.

As stated, the Big Switch campaign was launched on 18 February 2009. The fundamentals are simple. First, there is no contract. We convened focus groups in rural and urban areas to discover what people wanted in the context of choice. We offered a double digit discount on existing rates. It was a simple proposition and easy to switch. The website, TheBigSwitch.ie, accounted for 50% of the total number of switchers we attracted. That is a phenomenal development and provides an indication of the importance of e-channels. We initiated a strong marketing campaign, with well organised operational support.

Bord Gáis Éireann is now the largest dual-fuel supplier in the country. We have some 200,000 dual-fuel customers. It is well over one year into the campaign and we are still taking on approximately 950 new electricity customers every day. The company now has over 1 million gas and electricity customers on the island. We launched a gas choice facility in Belfast which has been well received by SME and industrial customers in the city in recent times.

There has been a great deal of criticism at this committee and in the Dáil and the Seanad regarding the level of liberalisation in the Irish electricity market. As a result of the Big Switch campaign, Ireland has moved from being the 18th most liberalised electricity market in the world to being the second most liberalised. The campaign has actually set in motion a process towards the creation of competition in the market. We have had the highest switching rate per capita in the world during the past 12 months. Bord Gáis Éireann certainly played a role in that regard.

Real competition in the energy market is now a reality. It is noticeable that many other sectors — telecommunications, insurance, etc. — have followed our lead and that there are many advertisements on television and radio which encourage people to make the switch. We commenced a particular conditioning of the market. In the current environment people are seeking value and exemplary service.

The CER recently set out a roadmap for the deregulation of the electricity market. We welcome the fact that there are rules, but we may not have been happy about the fact that the ESB had a 60% share of the market. This still represents an element of dominance. I say this in the context of the fact that we are losing customers in the gas market. I also take the view that there might be a 60% dominant share in that market. A figure of 50% might have been more appropriate. In that context, I have previously put forward the analogy of a grocery store in which bread produced by the person who owns six of the eight most efficient bread factories is sold. Members of this and other committees might be quite concerned about the competition aspects to which this would give rise.

We welcome the intensification of competition in the gas market.

As the Senator is well aware, I worked for the ESB at the time and there was direct control of tariffs. I recall a period of 12 years in which the company did not receive a price increase. To create competition, the Houses of the Oireachtas brought forward the relevant regulations. As members are aware, the influences in this regard are not just Irish, they are also European. I accept that there has been great movement. However, we have further to go.

Competition in the gas market has intensified, particularly with the entry of Airtricity. We welcome that development. Flogas is already involved in the market and we understand the ESB may also enter it later in the year. That is good for customers because it provides choice. People can seek the best value, not only in price but also in the context of exemplary service.

There are two aspects to the outlook for the future. Members are aware that I have not been afraid to offer a view on the outlook for gas and electricity prices. The supply of gas worldwide has improved immensely, particularly in the light of the use of horizontal drilling technology for shale gas and unconventional sources of gas. Based on the use of this new technology, the American market now has 100 years of gas reserves. That is a welcome development, but it will have an impact on world gas prices.

In the past year there has been a move away from the historical linkage between gas and oil prices, from approximately 90% to in the region of 60%. This means there is a real differential between gas, as an economic product, and oil prices. We believe this trend will continue. There is a glut on the supply side. Liquefied natural gas is being brought to three new facilities in Britain and will ultimately be supplied to Ireland via our interconnectors. In conjunction with, it is hoped, the arrival of gas from the Corrib gas field, access to this cheaper form of fossil fuel will place Ireland in a very good position from a supply perspective.

In the context of what I stated about Bord Gáis Éireann spending twice as much on wind farms as on gas pipelines, it is important that gas is used as a bridging fuel as we move towards a low carbon economy. As members are aware, it will not be possible to bring all of the renewables on stream overnight. It will take ten to 15 years of hard graft, both onshore and offshore, to harness the potential of renewables.

We suffered demand destruction to a level of approximately 6% in respect of electricity and gas last year. It will be 2013 or 2014 before the level of demand for gas and electricity returns to the peaks that obtained in 2008. That is the cliff edge over which we recently looked from the point of view of demand. Our experience in this regard has been mirrored across Europe. In Spain the level of demand destruction was 10%. This means there is less demand for a much larger supply of gas. As a result, the environment for gas supplies is benign, which is good news.

We have reduced the price of gas on three occasions in the past year. Many state the position in Britain is much better. It is a case that the grass is always greener elsewhere. During the period in which we provided for three price reductions, the six suppliers in Britain only supplied one. That happened in December. The level of profits of the supply companies in Britain far exceeded the level made by Irish supply companies in the same period. The six British suppliers moved in contango on one occasion last year and introduced reductions of between 4% and 7%. Bord Gáis Éireann reduced its prices by a total of 25% in the same period under the same conditions.

In regulatory terms, we are becoming more mature and there has been good movement in respect of competition in the electricity market. We are moving towards a fully liberalised electricity market. Within two years the gas market will be fully liberalised and there will be new entrants coming in. We look forward to holding a share of the domestic gas market that will be below 60% because this will encourage real competition.

There has been a great deal of discussion about energy prices. However, the facts speak for themselves. Gas prices here are lower than the EU average. In the residential sector they are as much as 15% lower than the average. This fact is underpinned by the figures provided by EUROSTAT. We welcome the fact that the domestic gas market is open to new entrants. As the chief executive of the networks company which facilitates the switching of gas customers to other businesses, I can state we have all of the necessary systems in place to facilitate, as was the case in respect of the supply of electricity, ease of switching.

I welcome Mr. Mullins and Mr. Bunworth and thank them for their presentation. They have, to a large extent, answered many of the questions that have arisen and eased concerns with regard to what has happened. Mr. Mullins spoke with great gusto about energy matters and covered a wide range of topics. I wish him and Bord Gáis Éireann continued success.

There were two breaches of security at Bord Gáis Éireann: the first relates to a break-in at its premises, while the second relates to the information contained on one of the stolen laptops. How did this happen and why did the company deal in such a haphazard manner with information on so many customers? This matter would have been a source of great concern for the customers to whom I refer. I welcome the measures the company has taken to prevent this happening again in the future.

Our guests have stated none of the company's customers suffered as a consequence of what happened. I do not know if the stolen laptops were recovered. However, they would have contained details relating to many customer bank accounts, credit card accounts, etc. Some of the customers may not have changed their details in the interim. What assurances can our guests provide that the information to which I refer will not fall into the wrong hands and lead to customers suffering the consequences in the future? This issue is not over yet. What assurances can Bord Gáis give the people affected? I presume it has improved security at its headquarters, but my main aim is to ensure the company can assure the 93,000 customers affected that they need have no concerns that their information will be used maliciously in the future.

Bord Gáis has covered a range of issues. With regard to the Big Switch campaign, has it not come about as a consequence of the policy of the Commission on Energy Regulation? The ESB had a monopoly, but only when Bord Gáis and Airtricity reach a competitive figure of a 40% share of the market will it be liberalised. Is there a danger that there will be a big switch back to the ESB from Bord Gáis when this happens? We may be as close as a couple of months from that position. Is there a danger that there will be a switch back when the ESB is allowed compete with Bord Gáis and drop its prices? Currently, it is prevented from doing so. As a consequence, Bord Gáis was in a position to reduce its prices by the various percentages mentioned to attract customers. Is Bord Gáis concerned about the change or that there will be a big switch back? What is its policy on future pricing? It appears to be in a good position and Mr. Mullins seems to have done excellent work with the company. Will it be in a position to compete with such a threat?

Mr. Mullins referred to the future of wind energy production and I understand Bord Gáis has bought SWS Wind Farms Limited. In County Mayo, where planning permission was granted for a huge wind farm, that farm had difficulty in securing a connection to the national grid. Apparently, it can take seven years to be connected. Perhaps Bord Gáis is in a position to seek connectivity from those already in the queue, but I would like to hear its comments on the issue. We have a wind energy policy and many want to become involved in the sector, but it does not seem possible to secure a connection to the grid. One has to queue and may have to wait seven, eight or nine years. What is the position of Bord Gáis in this regard?

Mr. Mullins suggested Bord Gáis would invest twice as much in wind energy production as in gas pipelines. It has, once again, displayed a reluctance to invest in a natural gas pipeline in north Tipperary where all of the major towns have been bypassed for investment, despite the compelling argument made by various people in favour of linking Callan, for example, in County Kilkenny, Thurles in north Tipperary and Tipperary town. Once again, north Tipperary has been overlooked. I am concerned about this. Was there undue influence exerted by someone in that regard? Looking at the matter from a political viewpoint, one wonders why, with a Minister of State based in Tipperary town, the area has been overlooked again for development.

I appreciate the spirited presentation made and have no problems with regard to the general outlook. However, I would like to outline the facts regarding the ESB.

Before the regulatory system was put in place, the ESB was supplying electricity with the second lowest prices in Europe, but because of the restraints placed on it in the interests of having competition in a more open market, with good reason, it is not allowed to compete until its market share has been reduced to 60%. The questions raised by Deputy Coonan will then be important. I do not doubt the ability of Bord Gáis to hold onto its customers. That is not the issue, but I have had some sympathy for the ESB in the past while. Bord Gáis managers must often have smiled when they saw Members of the Oireachtas having a go at the ESB because of its high prices, without ever bothering to look at the legislation we had put in place to prevent it from reducing its prices, but that is how politics works.

On the stolen data, were data relating to credit cards details stolen? At the time of the theft did Bord Gáis retain full credit card numbers or just the last four digits? I understand it only kept the last four digits. Recently, however, I came across an instance where this was not the case. I am glad, therefore, that people's credit card information is safe because only the last four digits were retained.

Internal audit was mentioned as a governance issue, but I am not clear on how that works. Does the internal audit unit engage in a stress test of the process as opposed to policies? Has Bord Gáis received reports from its internal audit unit on such testing of the credit data procedure? Has it at any stage considered using cloud computing as a method to ensure nothing will be left on laptops? In other words, people would go on-line and obtain the information they need and the information would not be kept on their laptops. What is the position of Bord Gáis in that regard? It seems to provide a solution to the problem for the long term.

Mr. Mullins mentioned the Corrib gas field. I appreciate his views in that regard. I agree with him on the need for energy independence and for supplies from the Corrib gas field to come on line. I am aware that in the pipeline there is space for the inclusion of fibre optic cable and other cables that could be used, for example, to deliver broadband services to the west. Why has Bord Gáis not placed a fibre optic cable in the pipeline? If it does do so eventually, will it then be able to enter the business of selling broadband services throughout the country? I would like to hear not just the facts but also Mr. Mullins views on the matter. He has mentioned the company with which Bord Gáis has gone into business, but its name does not appear in his script.

Does Bord Gáis have a relationship withthe two new great European empires, Veolia and Electricité de France? If so, what relationship does it have with these two self-aggrandising huge empires which are taking over the world?

What wind energy storage capacity does Bord Gáis have? What plans does it have for the times when it cannot sell it? Mr. Mullins did not mention anything other than gas supplies storage.

With regard to the development of its wind farms, is Bord Gáis in a position to use the new technology available, the Proven system, which can continue to operate, no matter what is the strength of the wind? Has the technology for larger wind farms been developed to a point where we can harness the power of the wind whenever it is blowing, rather than only when it is blowing above a certain speed?

Deputy Coonan commented on the fact that one could buy grid space from others in the queue. Is it not time we found a solution to the problem of connection to the grid being blocked by persons who have no intention of building a wind farm but who have simply taken a place in the queue in order that they can sell their position to companies such Bord Gáis? Is it not time we introduced legislation to cope with this nonsense?

I ask the delegates to please excuse me if I have to leave during their responses which I will check in the Official Report.